OWASP New Zealand Day 2011
7th July - Auckland

Introduction

Following the success of the OWASP New Zealand 2009 and OWASP New Zealand 2010 security conferences, the OWASP New Zealand Chapter is pleased to announce the return of the conference in 2011. The third OWASP New Zealand Day will be happening thanks to the support provided by the University of Auckland School of Business, which will kindly offer the same conference venue of the last two years. Entry to the event will, as in the past, be free. OWASP New Zealand Day 2011 will be held on Thursday July 7th, 2011.

For any comments, feedback or observations, please don't hesitate to contact us.

You can register for the conference here. Please note that the registration cut-off date is June 20, 2011; no registrations will be accepted on the day.

Conference dates

CFP closes: 31st May 2011

Conference Agenda due: 15th June 2011

Registration deadline: 20th June 2011

Conference date: 7th July 2011

Conference Venue

The University of Auckland Business School
Owen G Glenn Building
Room: OGGB 260-073 (OGGB4)
Address: 12 Grafton Road
Auckland
New Zealand

Registration

You are invited to attend the OWASP Day conference at no charge (free as in beer). However, to ensure an orderly, well-run event we require that all attendees register before the registration close-off date (20th June 2011). At this time there is no plan to allow "on the day" registration. Registration is handled through the RegOnline event management system, available at http://regonline.com/owaspnzday2011. Please note that the registration cut-off date is June 20, 2011; no registrations will be accepted on the day.

Conference Sponsors

Topics

The OWASP Days have always offered a forum for discussion and exchange of ideas among researchers and practitioners, who present their experiences and discuss issues related to web application security from a high-level to a technical point of view.

In a previous role as a full-time penetration test manager, I often encountered situations where the outcome of a penetration test was affected by the preparedness of the client, the information and resources available to the testers, and the ability of the client to interpret the report. While there are abundant resources available to teach penetration testers techniques for web application hacking, there is very little information to guide pre- and post-engagement activities such as scoping, logistics, and reporting.

The complexity of modern web applications means that there is a huge dependency on clients understanding what is required of them, and how to provide the appropriate information and resources to testers to get the best outcome from a penetration test.

Andrew Evans

Bio to come

Nick von Dadelszen – Lateral Security - Testing Mobile Applications

Mobile applications are the "next big thing" in application development and it seems everyone is developing them, including banks, travel companies, retail outlets and everyone else. Mobile application security requires a different focus to standard web applications and this talk discusses those differences, how to test mobile applications, and some tips and tricks from Lateral Security's experience in penetration testing mobile applications.

Nick von Dadelszen

Bio to come

Adrian Hayes - Security-Assessment.com - Web Crypto for the Developer Who Has Better Things To Do

Crypto is easy to get wrong and can be a pain to implement. This presentation will take you through practical examples of how to implement solid crypto on a number of common development platforms. We'll talk about how to store and verify passwords, how to safely transport and store backups, what's wrong with some default SSL configurations, and maybe even random token generation, among other things. Web app crypto should be easy and secure, not just one of those.

Adrian Hayes

Adrian Hayes is a security consultant for Security-Assessment.com in Wellington. Adrian comes from a web app development background but has jumped the fence and now spends his time hacking them.

Brett Moore - Insomnia Security - Concurrency Vulnerabilities

Concurrency vulnerabilities are not very common, as they require specific circumstances for a vulnerable scenario to exist. However, the consequences of such issues can be devastating and include auth bypass, cross-user account access, and purchase tampering.

This talk will discuss in detail some of the situations leading to these vulnerabilities, and how they can be detected both at the source level and during active testing.

Brett Moore

Having conducted vulnerability assessments, network reviews, and penetration tests for the majority of the large companies in New Zealand, Insomnia founder Brett Moore brings with him over eight years' experience in information security. During this time, Brett has also worked with companies such as Sun Microsystems, Skype Limited and Microsoft Corporation by reporting and helping to fix security vulnerabilities in their products. Brett has released numerous whitepapers and technical postings related to security issues and has spoken at security conferences both locally and overseas, including BlackHat, Defcon, Syscan, Kiwicon, Ruxcon, and the invitation-only Microsoft internal security conference called BlueHat.

Sam Pickles - F5 - A Day in the Life of a WAF

Web Application Firewalls in production get to see a large volume of malicious requests, and present a unique opportunity to discover what is really happening out in the black hat community.

In this talk, real attack examples seen in production will be presented which demonstrate the reality and relevance of the OWASP Top Ten. Attack samples and reports have been gathered from a number of sites globally and sanitised, and will be used to help understand the answers to some common questions:

- How often is my application being attacked? (more than you might think)
- What techniques are being attempted?
- Who is doing this, and why?

Additionally, some recent headline-grabbing hacks in banking and finance will be detailed at a practical level.

Sam Pickles

Sam Pickles has worked across the security industry for over ten years, in APAC, EMEA, and USA. Sam has held senior technical responsibility within many high profile IT and physical security projects across banking, government and service provider customers. During this period he has been involved in creating some of the world's largest web application firewall gateways, designed and built IT security systems and conducted network, application and hardware device penetration testing.

As an architect and security specialist with F5 Networks, Sam maintains a keen interest in web application security, is a member of OWASP and a long time attendee of chapter meetings in London. He has degrees in Physics from the University of Otago, and Computer Science from the University of Oxford.

Tales from a developer – practical tips on how to lead teams and design solutions in a way that produces secure web applications. Starting off with “why does security matter to my customers”, I’ll look at how to get organisations and teams on board and excited about security. Then, mostly using .NET, I’ll show some common mistakes I’ve observed and specific examples of how solution and application framework design can mitigate some of these issues. I’ll look at difficulties in integrating a secure development lifecycle into the daily grind of project delivery and some of the struggles and pitfalls with implementing secure practices. If there’s time I’ll squeeze in some exemplar exploits as well.

Mark Young

Mark Young is a senior developer / team lead / architect at Datacom in Auckland, who has spent the last few years leading dev teams and architecting enterprise web systems, particularly in banking. Mark has a focus on web security, has been known to deliver and reproduce exploits, and has also been stung a few times by his code (or that of his team).

Websites are being compromised. Daily. Some of these attacks are sophisticated and occur without warning, but many are not. This talk will look at some widely exploited vulnerabilities in popular applications, such as authentication bypass, remote code execution & SQL injection. We will cover how they were exploited and discuss techniques to help organisations avoid becoming another statistic.

Quintin Russ

Quintin has carved out his own niche in the .nz hosting industry, having spent a large proportion of the last few years becoming an expert in both building and defending systems. He now runs enough infrastructure to ensure he never, ever gets a good night's sleep, and sometimes doesn't even get to snooze through Sunday mornings. Quintin has a keen interest in security, especially as it relates to web hosting. This has ranged from the vicissitudes of shared hosting to code reviews of popular blogging applications. He has previously presented at ISIG, OWASP & Kiwicon.

Training (NEW!)

Codefather - 3 hours (9am-12pm, July 7 2011) - $250

Abstract: These days websites are under constant attack and it's incredibly easy for a developer or administrator to make seemingly minor mistakes that have catastrophic consequences.

You can't fight a war that you don't know you're waging. You can't defend your websites against attack unless you know the tricks the blackhats are using to infiltrate. This workshop outlines and demonstrates many of the latest attacks and defenses in use today.
We have 2 lab environments where attendees will learn, explore and perform real attacks against our full-featured websites and each other. This is an interactive and extremely entertaining session covering, hands on:
- SQL injection
- XSS
- CSRF
- Website logic abuse!

Key objectives:

Know the most common forms of attack that exist today, so they understand what the attacks hit and how

Know the techniques to protect against these common attacks

Understand the steps and process to assess their systems against all attacks

Have the skills to future-proof their code and to minimise the potential for new security holes

Abstract: This introductory training course focuses on the most common web application security problems: the OWASP Top 10 risks. The OWASP Top 10 covers many of the risks facing web applications every day. This training will explain each of the 10 risks, demonstrate the vulnerabilities and provide platform-agnostic recommendations for remediating these issues through the use of existing OWASP projects. The thorough explanation of vulnerabilities, exploits and remediations will leave you with a clear understanding of the OWASP Top 10 risks and how to avoid them.

This training course is a compact version of Security-Assessment.com's brand new two-day intensive secure web application development tutorial. We encourage the use of the Top 10 to get organisations started with application security, so developers can learn from the mistakes of other organisations. Executives can start thinking about how to manage the risk that software applications create in their enterprise.

Key objectives:

A solid understanding of common risks within web applications, as defined by the OWASP Top 10 Project

How a hacker's knowledge of these risks can lead to compromise of your web app, web server, kitchen sink...

How to avoid these vulnerabilities by employing best-practice coding methodologies

Tips and tricks to architect your application securely from the get-go, from a dev-turned-hacker

Call For Sponsorships (CLOSED)

The call for silver and gold sponsorships is now closed, however we are still looking for support sponsors who can provide media coverage/promotion for the event.

Following the success of the previous events in 2009 and 2010, OWASP New Zealand Day 2011 will be held in Auckland on the 7th of July, 2011. OWASP New Zealand Day is a security conference entirely dedicated to web application security. The conference is once again being hosted by the University of Auckland School of Business with their support and assistance. OWASP New Zealand Day 2011 is a free event, but requires sponsor support to help make it an instructive and quality event for the New Zealand community. OWASP is strictly not for profit. The sponsorship money will be used to help make OWASP New Zealand Day 2011 a free, compelling and valuable experience for the audience.

The sponsorship funds collected are to be used for things such as:

Refreshments (coffee break/lunch) - we want to keep people refreshed during the day; while we certainly bring good and interesting speakers, we don't want people to go home when they become hungry.

Name tags - we feel that getting to know people within the New Zealand community is important, and name tags make that possible.

Promotion - up to now our events are propagating by word of mouth. We would like to get to a wider audience by advertising our events.

Facts

Last year, the event was supported by 3 sponsors and attracted more than 150 participants. A lot of good feedback from the audience was received and this is the reason why we are re-organising the event. For more information on last year's event, please visit: https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2010

The OWASP New Zealand community is strong, and there are more than 160 people currently subscribed to the mailing list. OWASP New Zealand Day is expected to attract between 150 and 200 attendees during the conference.

- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference.
- The possibility to distribute the company brochures, CDs or other materials to the participants during the event.

Gold Sponsorship: 3500 NZD

Includes:

- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference.
- The possibility to distribute the company brochures, CDs or other materials to the participants during the event.

Those who are interested in sponsoring the OWASP New Zealand 2011 Conference can contact the OWASP New Zealand Board.
Sponsors can also make payments via PayPal. Donations are also more than welcome from the NZ community.


Call for Papers (CLOSED)

The OWASP New Zealand Chapter is holding the annual OWASP New Zealand Day web application security conference at the University of Auckland School of Business on July 7th, 2011. The Call For Papers is now open, and you are cordially invited to submit your stuff!

Following on from the previous two years, the conference will consist of a single track covering both technical and risk management topics. So if you'd like to share your brand new technique, detail your run-ins with .cn, .ru or Anonymous, spread fear about the cloud or drop some 0day, we'd like to hear from you.

We are looking for talks of various lengths, but ask that you keep the talk under 40 minutes long. 10-15 minute long lightning talks are welcome, and ideal if you have something you want to share that doesn't need half an hour to explain.

Other than the above, we are seeking presentations on any of the following topics:

Platform or language (e.g. Java, .NET) security features that help secure web applications

Secure application development

How to use databases securely in web applications

Security of Service Oriented Architectures

Access control in web applications

Web services security

Browser security

PCI

The timeline for submissions is as follows:

31st May 2011: The official closing date for receiving a synopsis of the presentation.

15th Jun 2011: Announcements on selected candidates will be provided.

20th Jun 2011: Complete presentations will need to be submitted.

The email subject must be "OWASP New Zealand 2011: CFP" and the email body must contain the following information/sections:

Name and Surname

Affiliation

Address

Telephone number

Email address

List of the author's previous papers/articles/speeches on the same topic

Title of the contribution

Type of contribution: Technical or Informative

Abstract (up to 500 words)

Why the contribution is relevant for OWASP New Zealand 2011

If you are not from New Zealand, will your company support your travel/accommodation costs - Yes/No

The submissions will be reviewed by the OWASP New Zealand Board and the most interesting ones will be selected and invited for presentation.

PLEASE NOTE:

Due to limited budget available, expenses for international speakers cannot be covered.

If your company is willing to cover travel and accommodation costs, the company will become a "Support Sponsor" of the event.

Please submit your presentation topics and an abstract of up to 500 words to Nick Freeman and Scott Bell - nick.freeman@owasp.org & scott.bell@owasp.org

Call For Trainers (CLOSED)

We are happy to announce that training will run alongside OWASP Day this year, on July 7th 2011. The training venue will be an auditorium kindly provided by the University of Auckland School of Business, in the same building as the OWASP Day conference itself. Classes will contain up to 20 students, and each seat has a power point for laptop usage.

Two 3-hour slots will be available for training, one from 9am-12noon and a second from 2pm-5pm. As the slots are quite short, we're looking for training events that will be providing either introductory lessons in web app security, or sessions dedicated to a particular topic.

The fixed price per head for training will be $250. As this training is part of an OWASP event, part of the proceeds go back to OWASP. The split is as follows:
- 25% to OWASP Global - used for OWASP projects around the world
- 25% to OWASP NZ Day - used for expenses such as catering during the conference
- 50% to the training provider.

If you have any further queries, or wish to submit a training course, please send the above information to the following email addresses:
- nick.freeman@owasp.org
- scott.bell@owasp.org

Accepted training sessions will be announced on June 15th, together with the presentations.

Conference Committee

OWASP New Zealand Day 2011 Organising Committee:

Nick Freeman - OWASP New Zealand Leader (Auckland)

Scott Bell - OWASP New Zealand Leader (Wellington)

Lech Janczewski - Associate Professor - University of Auckland School of Business